On 21.02.13 08:59, Robert Moskowitz wrote:
I am reading: https://www.isc.org/software/bind/faq and 'What has
changed in the behavior of "allow-recursion" and
"allow-query-cache" '.

I am struggling here trying to match up the various access
control features, particularly when we are supposed to have
different views for different clients.

So for my internal view where I:

    match-clients { httnets; };
    match-destinations { httnets; };
    recursion yes;
    allow-query { httnets; };

On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote:
allow-query is useless here, unless you have disabled it somewhere.
the match-clients does enough.

On 21.02.13 11:08, Robert Moskowitz wrote:
No. allow-query made my internal view available to my local clients.

allow-query defaults to all. match-clients directs your internal clients to
the internal view and unless you have disabled querying elsewhere, allowing
it is not important.

Check my earlier posts here. I was down here with just the
match-clients and without the allow-query; all local hosts were
getting denied access. It was painful for a little while.

Probably they did not have recursion enabled. allow-recursion defaults to
local networks, if not specified directly or by allow-query-cache.

Do I also add

    allow-query-cache { httnets; };

???

you apparently want to turn on recursion for your clients, which
means, you should use "allow-recursion" and let allow-query-cache
be the same by default.

Recursion seems to be working with just "recursion yes" here.

Recursion by itself, yes. But the default for allow-recursion might not be
enough for you.

In fact, you can use "allow-recursion { all; };" and still only internal
clients (in internal view) would have it allowed.

What does allow-recursion add given all the other restrictive
clauses?

It allows specified clients to use recursion. Both allow-query-cache and
allow-recursion default to the other one, when only one is specified.
However, allow-recursion gives a better idea of what is really allowed.

And for the external view where:

    match-clients { any; };
    match-destinations { any; };
    allow-query { any; };
    recursion no;

Do I add:

    allow-query-cache { localhost; };

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease
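
The two views discussed in this thread, written out as a named.conf fragment with the recursion ACLs stated explicitly. This is an added example, not configuration posted by either participant; the `httnets` address range is a constructed placeholder and the zone statements are left out.

```conf
// Added example. 192.0.2.0/24 is a constructed placeholder (documentation range).
acl httnets { 192.0.2.0/24; };

// Views are tried in the order they appear, so the restrictive
// view must come before the catch-all one.
view "internal" {
    // Selects which clients see this view at all.
    match-clients      { httnets; };
    match-destinations { httnets; };

    recursion yes;

    // Who may ask recursive questions. Stated explicitly so the result
    // does not depend on inherited or compiled-in defaults.
    allow-recursion   { httnets; };

    // Who may be answered from cache. When only one of allow-recursion /
    // allow-query-cache is set, the other takes the same value, so this
    // line is redundant here; it documents the intent.
    allow-query-cache { httnets; };

    // Who may query at all in this view.
    allow-query       { httnets; };

    // zone statements for the internal namespace go here
};

view "external" {
    match-clients      { any; };
    match-destinations { any; };

    // Authoritative service only: anyone may query the zones served here,
    // but nobody gets recursion or answers from cache.
    recursion no;
    allow-query       { any; };
    allow-query-cache { none; };

    // zone statements for the public namespace go here
};
```

Running `named-checkconf` against the file catches syntax errors before a reload.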